In a slight saving grace, one of the attacks is dependent on the user downloading a malicious app from the SmartThings store, or by following a malicious link. Once the malicious app is downloaded, an attacker could effectively conduct a remote assault from anywhere in the world.

Understandably, Samsung has been defensive about the critical security issues, claiming that it is fully aware of the problems and that they are being actively fixed.

Is that good enough? Or should Samsung, a multinational technology company, be actively investigating why its products are seemingly shipping with security bugs? Let’s take a look.

Multiple Vulnerabilities

Security researchers at the University of Michigan devised several proof-of-concept exploits aimed at exposing potential failings in the Samsung SmartThings ecosystem. As one of the largest manufacturers of IoT-ready (Internet of Things) devices, including fridges, thermostats, ovens, security doors, locks, panels, sensors, and much more, it will come as no surprise that Samsung’s security credentials are under scrutiny.

The researchers confirmed the faults were caused by two intrinsic design flaws in the SmartThings ecosystem. What’s more, those two design flaws aren’t necessarily easy to fix.

Another exploit used a vulnerability to turn “vacation mode” off, demonstrating access to high-level permissions. Once an attacker has control of “vacation mode”, they can defeat any pre-programmed vacation defences, such as randomly cycling lights throughout the house or opening and closing blinds to simulate an occupied residence.

These “over-privileged” apps create a significant security issue, though it is often not entirely the fault of the app designer. Atul Prakash, University of Michigan professor of computer science and engineering, explained it like so:

“The access SmartThings grants by default is at a full device level, rather than any narrower. As an analogy, say you give someone permission to change the light bulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets.”
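The following is an added illustration of the two permission designs Prakash contrasts; it is not code from the article, from the researchers, or from the SmartThings platform. Device names, capability names (`battery`, `lock`, `lockCodes`, `switch`) and the “battery monitor” app are constructed for the example, and the policy functions are a simplified model rather than the real SmartThings API. It also models the battery-monitor-versus-lock scenario the article describes in its user study: under a device-level grant, an app that only needs battery status is also allowed to reach the lock’s codes, whereas a capability-scoped grant denies that request, and the denials are what a platform’s audit log should record.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed catalogue of which capabilities each device exposes.
DEVICE_CAPABILITIES: Dict[str, Set[str]] = {
    "front-door-lock": {"battery", "lock", "lockCodes"},
    "hallway-light": {"switch", "battery"},
}


@dataclass
class Grant:
    """A permission an app holds: a device plus the capabilities it was given."""
    device: str
    capabilities: Set[str] = field(default_factory=set)


def authorize_device_level(grant: Grant, device: str, capability: str) -> bool:
    """Coarse model (the flaw described): any grant on a device unlocks every
    capability that device has, whether or not the app asked for it."""
    return grant.device == device and capability in DEVICE_CAPABILITIES[device]


def authorize_capability_level(grant: Grant, device: str, capability: str) -> bool:
    """Least-privilege model: only the capabilities explicitly granted pass."""
    return grant.device == device and capability in grant.capabilities


Policy = Callable[[Grant, str, str], bool]


def run_app(policy: Policy, grant: Grant,
            requests: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Evaluate each (device, capability) request under a policy and return
    which were allowed and which were denied. Denials are the events a
    platform would write to an audit log to spot an over-reaching app."""
    outcome: Dict[str, List[str]] = {"allowed": [], "denied": []}
    for device, capability in requests:
        key = f"{device}.{capability}"
        if policy(grant, device, capability):
            outcome["allowed"].append(key)
        else:
            outcome["denied"].append(key)
    return outcome


# Constructed scenario: a "battery monitor" app was granted battery status on
# the lock, but at runtime it also tries to read lock codes and operate the
# lock, and touches a device it was never granted at all.
BATTERY_MONITOR_GRANT = Grant(device="front-door-lock", capabilities={"battery"})
BATTERY_MONITOR_REQUESTS: List[Tuple[str, str]] = [
    ("front-door-lock", "battery"),
    ("front-door-lock", "lockCodes"),
    ("front-door-lock", "lock"),
    ("hallway-light", "switch"),
]


def compare() -> Dict[str, Dict[str, List[str]]]:
    """Run the same app against both policies so the difference is visible."""
    return {
        "device_level": run_app(authorize_device_level,
                                BATTERY_MONITOR_GRANT, BATTERY_MONITOR_REQUESTS),
        "capability_level": run_app(authorize_capability_level,
                                    BATTERY_MONITOR_GRANT, BATTERY_MONITOR_REQUESTS),
    }


if __name__ == "__main__":
    for model, result in compare().items():
        print(model, result)
```

Running the script shows the device-level policy allowing every request on the lock, including `lockCodes`, while the capability-level policy allows only `battery` and logs the other three as denials. Neither policy lets the app touch the hallway light, which shows that device-level scoping on its own is not useless, only too coarse.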

The Samsung Response

As you would expect, Samsung has been protective of its Internet of Things interests. The SmartThings statement is as follows:

“Protecting our customers’ privacy and data security is fundamental to everything we do at SmartThings. We are fully aware of the University of Michigan/Microsoft Research report and have been working with the authors of the report for the past several weeks on ways that we can continue to make the smart home more secure as the industry grows.

The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure.

Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp.

As an open platform with a growing and active developer community, SmartThings provides detailed guidelines on how to keep all code secure and determine what is a trusted source. If code is downloaded from an untrusted source, this can present a potential risk, just as when a PC user installs software from an unknown third-party website there is a risk that the software may contain malicious code. Following this report, we have updated our documented best practices to provide even better security guidance to developers.”

Small SmartApp Study

The research team also completed an admittedly very small study of SmartApp users, gauging how much attention they paid to the permissions they were granting.

Shockingly, 20 of the 22 people interviewed would let a battery monitoring app check the status of smart locks installed in their premises, on the premise that the app could send door access codes to a remote server. It may be a case of users not exercising due diligence over their personal security, all the more so when the potential consequences are serious loss or, at worst, personal danger.

“Smart home devices and their associated programming platforms will continue to proliferate and will remain attractive to consumers because they provide powerful functionality. However, the findings in this paper suggest that caution is warranted as well — on the part of early adopters, and on the part of framework designers. The risks are significant, and they are unlikely to be easily addressed via simple security patches.”
